`LPTokens` for `StakingFundsVault` can be rotated above max #329
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-132
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-stakehouse/blob/main/contracts/liquid-staking/ETHPoolLPFactory.sol#L83
Vulnerability details
Impact
By rotating more than max eth into `StakingFundsVault`, a malicious user can block the validator staking for that public key from happening.

The malicious user can withdraw this at any time (when they are cold > 30 min) as well, so they only commit the eth for as long as they want.

This doesn't necessarily need to be a malicious user, could happen by mistake. However then the user could simply withdraw the eth mistakenly rotated.

Proof of Concept
`ETHPoolLPFactory` is shared between both `StakingFundsVault` and `SavETHVault`, however the max tokens you can rotate uses the hard coded max `24 eth` from `SavETHVault` which allows you to mint more `StakingFundsVault`-`LPTokens` than intended:
liquid-staking/ETHPoolLPFactory.sol
The key cannot be used to start validator staking due to a check for exactly `4 eth` in `liquid-staking/LiquidStakingManager.sol`:

PoC forge test in `LiquidStakingManager.t.sol`:
:Tools Used
vscode, forge
Recommended Mitigation Steps
Use `maxStakingAmountPerValidator` instead of `24 eth`:
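
The cap mismatch described in this report, as a simplified Python model added here for illustration; it is not the Stakehouse Solidity code or the warden's forge PoC. The class and function names, the error strings, the 4 eth per-validator maximum passed to the vault, and the sample balances are assumptions, and the 30-minute cooldown check is omitted.

```python
# Simplified model (assumption, not the project's Solidity); amounts in wei.
ETHER = 10**18
HARDCODED_ROTATE_CAP = 24 * ETHER  # the hard coded max the report describes
STAKING_REQUIRED = 4 * ETHER       # staking checks for exactly this total


class LPToken:
    """LP token for one validator public key: holder -> balance."""

    def __init__(self):
        self.balances = {}

    def total_supply(self):
        return sum(self.balances.values())


class Vault:
    def __init__(self, max_staking_amount_per_validator, use_vault_cap):
        self.max_per_validator = max_staking_amount_per_validator
        self.use_vault_cap = use_vault_cap  # False models the reported behaviour

    def rotate(self, user, old, new, amount):
        # The fix is to bound the target supply by the vault's own maximum.
        cap = self.max_per_validator if self.use_vault_cap else HARDCODED_ROTATE_CAP
        if amount > old.balances.get(user, 0):
            raise ValueError("balance too low")
        if amount + new.total_supply() > cap:
            raise ValueError("target LP token would exceed cap")
        old.balances[user] -= amount
        new.balances[user] = new.balances.get(user, 0) + amount


def can_stake(lp):
    # An exact-equality check means an over-funded key cannot be staked.
    return lp.total_supply() == STAKING_REQUIRED


def scenario(use_vault_cap):
    """Key B is fully funded; a holder of key A's LP rotates 1 ether into it."""
    vault = Vault(4 * ETHER, use_vault_cap)
    key_a, key_b = LPToken(), LPToken()
    key_a.balances["user_1"] = 1 * ETHER  # constructed sample balances
    key_b.balances["user_2"] = 4 * ETHER
    try:
        vault.rotate("user_1", key_a, key_b, 1 * ETHER)
        rotated = True
    except ValueError:
        rotated = False
    return rotated, can_stake(key_b)
```

`scenario(False)` returns `(True, False)`: the rotation succeeds and the key can no longer be staked. `scenario(True)` returns `(False, True)`: the rotation is rejected and staking stays possible.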